Class-based content transfer between devices

ABSTRACT

The present invention relates to a method and a system for distributing information from a distributing device to a receiving device. The idea of the invention is that each device is assigned a class number. When information is to be transferred, the distributing device verifies the class number of the receiving device. If the receiving device has a lower class number than the distributing device, the distributing device is allowed to transfer the content to the receiving device. Preferably this class number represents the number of potential users that have access to the device. The class number can be assigned using a signed certificate. The information to be distributed may be provided with a watermarked class number, the watermarked class number specifying the highest class number that the receiving device can have and still be allowed to receive the information.

The present invention relates to a method and a system for distributing information from a distributing device to a receiving device, wherein each device has been assigned a respective level of information distribution authorization.

In recent years, the number of content protection systems has grown at a rapid pace. Some of these systems only protect the content against illegal copying, while others also prevent the user from accessing the content. The first category is called Copy Protection (CP) systems. CP systems have traditionally been the main focus for consumer electronics (CE) devices, as this type of content protection is thought to be cheaply implemented and does not need bi-directional interaction with the content provider. Some examples are the Content Scrambling System (CSS), the protection system of DVD ROM discs, and DTCP, the protection system for IEEE 1394 connections.

The second category is known under several names. In the broadcast world, systems of this category are generally known as Conditional Access (CA) systems, while in the Internet world they are generally known as Digital Rights Management (DRM) systems.

Some types of CP systems can also provide services to interface CA or DRM systems. Examples are the systems currently under development by the DVB-CPT subgroup and the TV-Anytime RMP group. The goal is a system in which a set of devices can authenticate each other through a bi-directional connection. Based on this authentication, the devices will trust each other and this will enable/allow them to exchange protected content. The accompanying licenses describe which rights the user has and what operations he is allowed to perform on the content. The license is protected by means of some general network secret, which is only exchanged between the devices within a certain household. This network of devices is called an Authorized Domain (AD).

The concept of authorized domains tries to find a solution that serves the interests of both the content owners (who want protection of their copyrights) and the content consumers (who want unrestricted use of the content). The basic principle is to have a controlled network environment in which content can be used relatively freely as long as it does not cross the border of the authorized domain. Typically, authorized domains are centered around the home environment, also referred to as home networks. Of course, other scenarios are also possible. A user could for example take a portable television with him on a trip, and use it in his hotel room to access content stored on his Personal Video Recorder at home. Even though the portable television is outside the home network, it is a part of the user's authorized domain.

A home network can be defined as a set of devices that are interconnected using some kind of network technology (e.g. Ethernet, IEEE 1394, BlueTooth, 802.11b etc). Although network technology allows the different devices to communicate, this is not enough to allow devices to interoperate. To be able to do this, devices need to be able to discover and address the functions present in the other devices in the network. Such interoperability is provided by home networking middleware (HN-MW). Examples of home networking middleware are Jini, HAVi, UPnP, AVC.

The concept of Multilevel Security (MLS) is often used in networks to enable different levels of security within the networks. Information with different classification levels is distributed within a network, and users comprised in the network have different security clearances and authorizations regarding the classified information. By means of this concept, users can be prevented from accessing information for which they are not authorized.

A problem in prior art, which problem the present invention aims at solving, is that it is generally considered difficult to prevent unauthorized consumers from duplicating and/or distributing copyrighted digital content. Thus, the problem has the effect that it is difficult to protect the rights of a creator of copyrighted digital content as well as the rights of a content provider distributing the content. The problem can of course be mitigated by employing copy protection, but then another problem arises, namely that if a user has content on one device, the user is not able to copy it to another device of which he is the sole user.

An object of the present invention is to provide a method and a system for straightforward and simple, yet effective, protection of copyrighted digital content such that the content cannot easily be duplicated and/or distributed to users and devices not being authorized to access the digital content. Still, an authorized user should be offered some flexibility in that it shall be possible to copy content to personal devices employed by a limited number of users.

This object is achieved by a method for distributing information from a distributing device to a receiving device, wherein each device has been assigned a respective level of information distribution authorization according to claim 1 and a system for distributing information from a distributing device to a receiving device, wherein each device has been assigned a respective level of information distribution authorization according to claim 10. Preferred embodiments are defined by the dependent claims.

According to a first aspect of the invention, a method is provided in which a level of information distribution authorization is denoted by means of a class number assigned to a device. When distribution of information is to be effected from the distributing device to the receiving device, the class number of the receiving device is verified. If the receiving device has a lower class number than the distributing device, information is distributed from the distributing device to the receiving device.

According to a second aspect of the invention, a system is provided in which each device in the system has been assigned a respective level of information distribution authorization by means of a class number. A distributing device contained in the system is arranged with means for verifying, when distribution of information is to be effected from the distributing device to a receiving device in the system, the class number of the receiving device. The distributing device is further arranged with means for distributing information to the receiving device if the receiving device has a lower class number than the distributing device.

The idea of the invention is that a device is assigned a level of information distribution authorization in the form of a class number. Preferably this class number represents the number of potential users that have access to the device. For example, a personal MP3 player has fewer potential users than a CD player accessible to all members of a home network. This implies that the CD player has a higher class number than the MP3 player. Whether a higher class number indicates a larger number of users is a question of definition and, if desirable, a high class number could be chosen to indicate a low number of users. However, throughout this description, the higher the class number, the larger the number of potential users. This will not limit the invention in any way, as it is clear that both definitions given above regarding classification are possible. When information in the form of copyrighted digital content is to be transferred from a distributing device to a receiving device, the distributing device verifies the class number of the receiving device. If the receiving device has a lower class number than the distributing device, the distributing device is allowed to transfer the content to the receiving device.

The present invention is advantageous, since it offers protection of copyrighted digital content on one hand and flexibility for an authorized user on the other. Content can be copied and distributed, but only in such a way that the copy is distributed to a device having a lower class number than the distributing device. The lower class number indicates that the device is intended to be used by a more limited number of users. It is only possible to distribute content to a receiving device having a lower class number than the distributing device. A CD player can, for example, be given class number 2 and a personal MP3 player class number 1. This allows a user to copy content to a smaller device for personal use. This does not harm the content creator and/or the content provider, and it gives the user some degree of flexibility.

According to an embodiment of the invention, when assigning a class number to a device, the ability of the device to distribute information to other devices is considered. The easier it is for the device to transfer information to another device, the higher the class number. This is advantageous, since even though a device has a low number of potential users, the device, or a sub device contained in the device, might have the ability to spread information in an easy manner. For example, a PC might have a rather limited number of potential users. However, a network card contained in the PC connected to the Internet can be used to rapidly broadcast information worldwide. The network card can thus be given a high class number while a personal hard disk in the same PC is given a low class number. By using the classification for the network card and the hard disk comprised in the PC, it is possible for a user to copy content to the hard disk, but not to transfer it from the hard disk to the network card connected to the Internet.

According to another embodiment of the present invention, for a device to qualify itself as an information recipient or distributor, the device must be assigned a digitally signed class number. By using the signed class number as an identifier, it is not possible for ill-intentioned third parties to introduce unauthorized devices, since the device is authorized by means of the digital signature.

According to yet further embodiments of the invention, the assignment of a class number to a device can either be performed by a device manufacturer, or a subcontractor authorized by the manufacturer, or by a home network supervisor, in which home network the device is to be comprised. If the assignment is made by the manufacturer, security against attacks from malicious third parties can be assumed to be higher, since the authority to handle for example class numbers and encryption/decryption keys is not spread out over several parties, thereby reducing the risk of sensitive information leakage. On the other hand, if the network supervisor is allowed to handle the assignment, the network becomes a lot more flexible.

Further features of, and advantages with, the present invention will become apparent when studying the appended claims and the following description. Those skilled in the art realize that different features of the present invention can be combined to create embodiments other than those described in the following. Many different alterations, modifications and combinations will become apparent to those skilled in the art. The described embodiments are therefore not intended to limit the scope of the invention, as defined by the appended claims.

A detailed description of embodiments of the present invention will be given in the following with reference made to the accompanying drawings, in which:

FIG. 1 schematically shows a system comprising devices interconnected via a network, in which system the present invention advantageously can be applied;

FIG. 2 schematically shows a CE device implementing an embodiment of the present invention;

FIG. 3 schematically shows an embodiment of the present invention when content is transferred from a distributing device to a receiving device; and

FIG. 4 shows a flow chart of an embodiment of the method according to the present invention.

FIG. 1 schematically shows a system 100 comprising devices 101-105 interconnected via a network 110. In this embodiment, the system 100 is an in-home network. Note that the system can embody other types of networks as well, such as networks in large-scale enterprises or university networks. A typical digital home network includes a number of devices, e.g. a radio receiver, a tuner/decoder, a CD player, a pair of speakers, a television, a VCR, a tape deck, and so on. These devices are usually interconnected to allow one device, e.g. the television, to control another, e.g. the VCR. One device, such as the tuner/decoder or a set top box (STB), is usually the central device, providing central control over the others.

Content, which typically comprises things like music, songs, movies, TV programs, pictures, books and the like, but which also includes interactive services, is received through a residential gateway or set top box 101. Content could also enter the home via other sources, such as storage media like discs, or via portable devices. The source could be a connection to a broadband cable network, an Internet connection, a satellite downlink etc. The content can then be transferred over the network 110 to a sink for rendering. A sink can be, for instance, the television display 102, the portable display device 103, the mobile phone 104 and/or the audio playback device 105.

The exact way in which a content item is rendered depends on the type of device and the type of content. For instance, in a radio receiver, rendering comprises generating audio signals and feeding them to loudspeakers. For a television receiver, rendering generally comprises generating audio and video signals and feeding those to a display screen and loudspeakers. For other types of content a similar appropriate action must be taken. Rendering may also include operations such as decrypting or descrambling a received signal, synchronizing audio and video signals and so on.

The set top box 101, or any other device in the system 100, may comprise a storage medium S1 such as a hard disk, allowing the recording and later playback of received content. The storage medium S1 could be a Personal Digital Recorder (PDR) of some kind, for example a DVD+RW recorder, to which the set top box 101 is connected. Content can also enter the system 100 stored on a carrier 120 such as a CD or a DVD.

The portable display device 103 and the mobile phone 104 are connected wirelessly to the network 110 using a base station 111, for example using Bluetooth or IEEE 802.11b. The other devices are connected using a conventional wired connection. To allow the devices 101-105 to interact, several interoperability standards are available, allowing different devices to exchange messages and information and to control each other. One well-known standard is the Home Audio/Video Interoperability (HAVi) standard, version 1.0. Other well-known standards are the domestic digital bus (D2B) standard, a communications protocol described in IEC 1030, and Universal Plug and Play.

It is important to ensure that the devices 101-105 in the home network do not make unauthorized copies of the content. To do this, a security framework, typically referred to as a DRM system, is necessary. In one such framework, complying with the features of the present invention, each device in the network is assigned a class number representing the number of potential users that have access to the device. For example, the personal portable display device 103 has fewer potential users than the set top box 101 accessible to all members of the home network. This implies that the set top box 101 has a higher class number than the display device 103. When information in the form of copyrighted digital content is to be transferred from a distributing device, e.g. the set top box 101, to a receiving device, e.g. the personal portable display device 103, the distributing device verifies the class number of the receiving device. In this case, the receiving device has a lower class number than the distributing device, so the set top box 101 is allowed to transfer the content to the personal portable display device 103. If the device 103 were to try to transfer content to the set top box 101, the device 103 would not be allowed to do so, since the set top box 101 has a higher class number than the device 103.

Using this framework, as will be described in the following, cryptographic operations will be employed in connection with content distribution. The devices can authenticate each other and distribute content securely by means of encrypting the content. This prevents unprotected content from leaking “in the clear” to unauthorized devices and prevents data originating from untrusted devices from entering the system.

It is important that devices only distribute content to other devices which they have successfully authenticated beforehand. This ensures that an adversary cannot make unauthorized copies using a malicious device. A device will only be able to successfully authenticate itself if it was built by an authorized manufacturer or an authorized subcontractor, for example because only authorized manufacturers know a particular secret necessary for successful authentication, or their devices are set up by a trusted network supervisor.

FIG. 2 schematically shows a CE device in the form of an audio playback device 201 implementing an embodiment of the present invention. The playback device 201 contains a CPU 202 or an equivalent device with processing capabilities, such as a programmable logic device (PLD), an application specific integrated circuit (ASIC) or the like. The device 201 also contains a storage device 202 in the form of a memory for storing software required to perform cryptographic operations and for storing data such as class numbers and cryptographic keys. It should be realized that all devices are required to comprise processing capabilities and storage devices in order to implement the invention. In production, the device 201 is assigned a class number representing the number of potential users having access to the device. According to an embodiment of the invention, when assigning the class number to the device, the ability of the device to distribute information is also taken into account. Preferably, the class number is encrypted with a private, asymmetric key of the device 201, which attaches a digital signature to the class number. A criterion known as non-repudiation is then satisfied, i.e. the sender of the information cannot at a later stage deny the information transmission. Alternatively, the class number is encrypted using a symmetric key, in which case authentication is provided. Note that the asymmetric encryption procedure goes one step beyond the symmetric encryption procedure in that it, in addition to providing authentication, also provides non-repudiation. The providing of authentication and/or non-repudiation can be done using powerful standard algorithms, such as the Triple Data Encryption Standard (3-DES) algorithm, the Advanced Encryption Standard (AES) algorithm or the International Data Encryption Algorithm (IDEA) for symmetric encryption and, for example, the Diffie-Hellman (DH) algorithm or the Rivest-Shamir-Adleman (RSA) algorithm for asymmetric encryption. This assures another device communicating with the device 201 that the class number has been issued by a trusted manufacturer.

As mentioned earlier, the actual assignment of a class number to a device can be performed by an authorized subcontractor or a trusted network supervisor. When considering who is to make the actual assignment, a tradeoff has to be made between system security on the one hand and flexibility on the other. If the assignment is made by the manufacturer, the security against attacks by malicious third parties can be assumed to be higher, since the task of handling for example class numbers and encryption/decryption keys is performed by one party. On the other hand, if the network supervisor is allowed to handle the assignment, the network becomes a lot more flexible, since the supervisor most likely knows the network and the devices included therein. Who actually performs the assignment of class numbers is an agreement which must be concluded by the device manufacturer, the network owner and possibly the provider of copyrighted content.

FIG. 3 schematically shows an embodiment of a system 300 according to the present invention. In FIG. 3, content is to be transferred from a distributing device 301 to a receiving device 302. A connection 303 is established between the distributing device, in this case an audio playback device 301, and the receiving device, in FIG. 3 a portable MP3 player 302. The connection 303 consists in this specific embodiment of a cable intended for transportation of MP3 files. In other envisaged embodiments, the distributing device and the receiving device might be devices incorporating radio receivers, in which case the connection 303 might be established using RF.

FIG. 4 shows a flow chart of an embodiment of the method according to the present invention. In step 401, when a connection has been established between the distributing device (DD) and the receiving device (RD), the CPU (not shown) of the DD executes appropriate software to verify the class number of the RD. This is performed by means of decrypting the encrypted class number. The encryption is performed with a symmetric key shared by the DD and the RD, or a public key which corresponds to the private key of the RD, depending on which type of encryption is employed. The distribution of keys can be handled by the device manufacturer, but as in the case with assignment of the class numbers, this can possibly be done by an authorized subcontractor or a trusted network supervisor, or a trusted third party. In step 402, the DD decides whether the class number of the RD is lower than its own class number. If the class number of the RD is equal to, or higher than, the class number of the DD, the method terminates at step 403 and no transmission of content from the DD to the RD will be effected.

If, in step 402, the DD decides that the class number of the RD is lower than its own class number, the method continues to step 404, wherein the DD distributes copyrighted content to the RD. Depending on the level of security deemed necessary in the system, the content can be encrypted at the DD in connection with being distributed, thereby providing the content with confidentiality. Alternatively, the content has been encrypted beforehand. The encryption is either performed with a symmetric key shared by the DD and the RD or with a public key corresponding to a private key of the RD. If the content is encrypted, the RD will decrypt it at step 405. In analogy with the encryption, the content is either decrypted with the symmetric key shared by the DD and the RD or with the private key of the RD, which private key corresponds to the public key used in the encryption. In step 405, after the decryption, the content is in plaintext, and the RD is free to access it.

Alternatively, a separate verification device (not shown) can be arranged to perform the verification of class numbers, whereby a great deal of processing load is transferred from the receiving device to the verification device. The verification device can also store and distribute keys used in connection to the cryptographic operations. This can be advantageous if a network comprises many receiving and distributing devices, since the distributing devices can be less complex. In large-scale networks, a number of verification devices can be arranged.

According to yet another embodiment of the present invention, the content distributed from a distributing device to a receiving device is subject to watermarking. This is preferably performed at the content distributor or the device manufacturer or in cooperation between these two actors. By performing a watermarking operation on a class number and inserting the watermarked class number into the content, it is possible to specify the highest class number that a device can have and still be allowed to receive the watermarked content. If a malicious third party procures a device with a high class number, this third party can distribute content to a great number of other devices. By using watermarks, the content itself decides if it can be distributed to a receiving device. Assuming that a certain content is assigned the watermarked class number 3 and a receiving device has class number 4, it is not possible to distribute the content to the device. In fact, it is not possible to distribute the content to a device having a class number that is higher than the watermarked class number comprised in the content. The watermarked class number is validated by a device CPU executing appropriate software.

Watermarking is advantageous, since illegally owning a device with a high classification in order to broadcast copyrighted content becomes useless, because the content itself determines by means of the watermarking operation at which level it can be introduced in a network of classified devices.
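As an added example, not code from the patent, the following Python models the decision of FIG. 4 (steps 401 to 403) together with the watermarked class number rule above and the sub device case from the description (a PC's hard disk versus its Internet-facing network card). It uses the symmetric-key variant described for FIG. 2, with an HMAC under a manufacturer key standing in for the encrypted class number; the manufacturer key, the device identifiers and the media server's class 3 are constructed assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample manufacturer key (assumption). In the symmetric-key variant the
# manufacturer authenticates each class number with a key the verifying device also
# holds; as the description notes, this gives authentication but not non-repudiation.
MANUFACTURER_KEY = b"constructed-manufacturer-key-do-not-use"


@dataclass(frozen=True)
class ClassCertificate:
    """A device's (or sub device's) class number plus the manufacturer's authentication tag."""
    device_id: str
    class_number: int
    tag: str  # hex HMAC-SHA256 over the canonical (device_id, class_number) encoding


def _canonical(device_id: str, class_number: int) -> bytes:
    # Canonical encoding so the tag binds the identity and the class number together.
    return json.dumps({"id": device_id, "class": class_number}, sort_keys=True).encode()


def issue_certificate(key: bytes, device_id: str, class_number: int) -> ClassCertificate:
    """Manufacturer side: assign a class number and authenticate it under the key."""
    tag = hmac.new(key, _canonical(device_id, class_number), hashlib.sha256).hexdigest()
    return ClassCertificate(device_id, class_number, tag)


def verify_certificate(key: bytes, cert: ClassCertificate) -> bool:
    """Step 401: check that the presented class number was issued under the manufacturer key."""
    expected = hmac.new(key, _canonical(cert.device_id, cert.class_number),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert.tag)


@dataclass(frozen=True)
class Content:
    title: str
    watermark_class: Optional[int] = None  # highest class a receiver may have; None = unmarked


def may_distribute(key: bytes, dd: ClassCertificate, rd: ClassCertificate,
                   content: Content) -> Tuple[bool, str]:
    """Decision of FIG. 4 (steps 401 to 403) extended with the watermarked class rule.

    Returns (allowed, reason). Distribution is permitted only if both class numbers
    verify, the receiver's class is strictly lower than the distributor's and, for
    watermarked content, the receiver's class does not exceed the watermarked class.
    """
    if not verify_certificate(key, dd):
        return False, "distributing device class number failed verification"
    if not verify_certificate(key, rd):
        return False, "receiving device class number failed verification"
    if rd.class_number >= dd.class_number:
        return False, "receiving device class number is not lower than the distributor's"
    if content.watermark_class is not None and rd.class_number > content.watermark_class:
        return False, "receiving device class number exceeds the watermarked class number"
    return True, "distribution permitted"


# Constructed sample devices. Class numbers follow the description: the set top box is
# classed above the portable display device; inside one PC the Internet-facing network
# card is classed above the personal hard disk. The media server's class 3 is assumed.
set_top_box = issue_certificate(MANUFACTURER_KEY, "stb-101", 2)
portable_display = issue_certificate(MANUFACTURER_KEY, "display-103", 1)
media_server = issue_certificate(MANUFACTURER_KEY, "media-server", 3)
pc_network_card = issue_certificate(MANUFACTURER_KEY, "pc-nic", 2)
pc_hard_disk = issue_certificate(MANUFACTURER_KEY, "pc-hdd", 1)
# Class number altered after issue: the tag no longer matches and verification fails.
tampered_display = ClassCertificate("display-103", 0, portable_display.tag)

song = Content("song")
watermarked_song = Content("song-wm3", watermark_class=3)


if __name__ == "__main__":
    for dd, rd, content in [
        (set_top_box, portable_display, song),   # allowed: 1 < 2
        (portable_display, set_top_box, song),   # denied: receiver class is higher
        (set_top_box, tampered_display, song),   # denied: tag mismatch
        (media_server, pc_hard_disk, song),      # allowed: copy onto the hard disk
        (pc_hard_disk, pc_network_card, song),   # denied: hard disk cannot feed the NIC
    ]:
        print(dd.device_id, "->", rd.device_id, may_distribute(MANUFACTURER_KEY, dd, rd, content))
```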

It should be noted that the above mentioned embodiments exemplify the invention, and that those skilled in the art will be able to design many alternative embodiments without departing from the scope of the appended claims. For example, class numbers could be assigned based on how expensive a device is, or classes could be assigned based on certain properties of the devices in a class. One embodiment of this option could be to use class ‘2’ for servers, class ‘1’ for stationary devices and class ‘0’ for mobile devices.

The word “comprising” does not exclude the presence of elements or steps beyond those listed in a claim. The word “a” or “an” preceding an element does not exclude the presence of a plurality of such elements. In the system claims enumerating several means, several of these means can be embodied by one and the same item of hardware.

1. A method for distributing information from a distributing device (301) to a receiving device (302), wherein each device has been assigned a respective level of information distribution authorization, the method being characterized in that: a level of information distribution authorization is denoted by means of a class number; and in that the method comprises the steps of: verifying (401), when distribution of information is to be effected from the distributing device (301) to the receiving device (302), the class number of the receiving device (302); and distributing (404) information from the distributing device (301) to the receiving device (302) if the receiving device (302) has a lower class number than the distributing device (301).
2. The method according to claim 1, wherein the class number assigned to a device (301, 302) corresponds to the ability to distribute information from said device to another device, a lower class number indicating a lower ability to distribute (404) information.
3. The method according to claim 1, wherein at least part of the information to be distributed (404) from the distributing device (301) to the receiving device (302) is encrypted such that said receiving device (302) is able to decrypt the encrypted information if the receiving device (302) has a lower class number than the distributing device (301).
4. The method according to claim 1, wherein a device (301, 302) must be assigned a digitally signed class number to qualify itself as an information distributor and receiver.
5. The method according to claim 1, wherein the devices (301, 302) are arranged in a home network (100).
6. The method according to claim 5, wherein the class numbers are assigned to the devices (301, 302) by a home network supervisor.
7. The method according to claim 1, wherein the class numbers are assigned to the devices (301, 302) by a device manufacturer.
8. The method according to claim 1, wherein different sub devices contained in a device (301, 302) can be assigned different class numbers.
9. The method according to claim 1, wherein the information to be distributed from a distributing device (301) to a receiving device (302) is provided with a watermarked class number, the watermarked class number specifying the highest class number that the receiving device (302) can have and still be allowed to receive the information.
10. A system (300) for distributing information from a distributing device (301) to a receiving device (302), wherein each device (301, 302) has been assigned a respective level of information distribution authorization, the system (300) being characterized in that: each device (301, 302) is arranged with a class number; the distributing device (301) is arranged with means (202, 203) for verifying, when distribution of information is to be effected from the distributing device (301) to the receiving device (302), the class number of the receiving device (302); and the distributing device (301) is arranged with means (202) for distributing information to the receiving device (302) if the receiving device (302) has a lower class number than the distributing device (301).
11. The system (300) according to claim 10, wherein the class number assigned to a device (301, 302) moreover corresponds to the ability to distribute information from said device to another device, a lower class number indicating a lower ability to distribute information.
12. The system (300) according to claim 10, wherein the distributing device (301) is arranged to encrypt at least part of the information to be distributed from the distributing device (301) to the receiving device (302) such that said receiving device (302) is able to decrypt the encrypted information, if the receiving device (302) has a lower class number than the distributing device (301).
13. The system (300) according to claim 10, wherein a device (301, 302) is arranged with a digitally signed class number to qualify itself as an information distributor and receiver.
14. The system (300) according to claim 10, wherein the devices (301, 302) are arranged in a home network (100).
15. The system according to claim 14, wherein the class numbers are assigned to the devices (301, 302) by a home network supervisor.
16. The system according to claim 10, wherein the class numbers are assigned to the devices (301, 302) by a device manufacturer.
17. The system according to claim 10, wherein different sub devices contained in a device (301, 302) can be assigned different class numbers.
18. The system according to claim 10, wherein the information to be distributed from a distributing device (301) to a receiving device (302) is provided with a watermarked class number, the watermarked class number specifying the highest class number that the receiving device (302) can have and still be allowed to receive the information.